Geeks with Guns

It’s dark in the middle of Kansas on a lonely road.
High winds and pelting rain bring visions of tornadoes
and death by flying cows. A lone police cruiser spots
a suspicious van prowling slowly past. Is it a distant
relative trying to read shadowy mailboxes? A crack cocaine
dealer searching for the lab? Pizza Hut? Should our courageous
Kansas cop call for backup? Offer to help? Head for the
safety of Burger King? A quick check via the officer’s
on-board laptop accesses the central database in Topeka.
The answer comes back quickly. No arrests, no warrants.
No recent drug activity or reason for suspicion in this
neck of the woods. The van isn’t on anybody’s
list of stolen vehicles, and it doesn’t fit any known
criminal activity definition. The van pulls in at the
next driveway. The cruiser continues on.

We all know the technology that makes this possible.
But how is it made secure? What’s to prevent someone
from intercepting this information or, worse still, changing
it? What keeps criminals out of the criminal databases
that are now linked to the Internet?

This month I’m going to take you through a solution
developed for the Kansas Bureau of Investigation by FishNet
Consulting, Inc., an Internet security consulting firm
based in Kansas City. If you think you have a tough review
committee to face before you can implement a VPN, consider
that this system had to be reviewed by a U.S. National
Security Subcommittee! It turns out the KBI choices mirror
ours, albeit at a higher level of intensity than some
of us are used to.

Kansas-Style Security

You know the drill. Cops on the beat need information.
From a car’s license plate they can get that information—if
they have enough time. Investigators need information
too, to solve crimes and maybe prevent them. Fingerprint
matches, mug shots, criminal history... but where do they
get it? Kansas isn’t exactly New York City. There
are miles and miles of highways and dirt roads. One hundred
and fifty counties, many of them rural, contain hundreds
of small communities with few dollars for sophisticated
leased-line solutions and fewer police officers.

The KBI wasn’t really seeking a security solution.
They wanted an information solution and knew it had to
be very secure. In fact, the FBI doesn’t allow any
criminal information database to use the Internet unless
a high level of security can be proved. Representatives
from KBI and FishNet Consulting had to travel to Washington,
D.C. and present their solution before the National Security
Subcommittee.

What makes it even more unusual—and of interest
to us in talking about security products—is the fact
that it’s the first Internet-based criminal information
solution and that it’s the result of combining six
security products. This solution may prove to be the model
for other states; it’s currently considered to be
ahead of even what the FBI has.

Until recently, Kansas cops relied on frame relay, car
radios, the telephone, and snail mail to connect to the
rest of the world. Their old 4.8K SNA dedicated network
connected 270 agencies and some 4,000 users. Data was
often dispersed and not always easy or quick to be found.
Now, however, security products, laptops, and Internet
access can provide quick, cheap, mobile resources to tap
centralized databases of information. Currently, the new
KBI infrastructure connects 750 criminal justice agencies
and is used by 2,500 individuals. By next year, the Bureau
estimates this will be a 2.5 million-seat installation.
(Implementation was approved early last fall.)

Firewall Terms

Packet-filtering
routers—A type of firewall
in which a router checks each packet
against a set of rules. The source and
destination addresses (and usually the
port numbers) are examined to see if
they’re excluded by a rule that’s been
configured on the router. Packets not
denied by a rule are passed. Adding more
rules decreases performance. Examination
is at a low level: the data carried in
the packet isn’t examined, and the router
keeps no memory of earlier packets, so
it can’t tell a genuine reply from a
packet crafted to look like one. While
packet-filtering routers are often used
as firewalls, they’re considered
easily fooled and not a good choice for
your only security defense.

Application firewalls—Dual-homed
proxies with interfaces on two separate
networks, such as your network and the
Internet. Examination is at a higher level,
the application level: the firewall terminates
the client’s connection and opens its own
connection to the destination, so it sees
the commands and content of the protocol,
not just the packet headers. Packets not
explicitly allowed access will be denied.
Characteristics other than source and
destination address are considered.

Stateful inspection—Communication-
and application-derived state and context
information (which connections are open,
which side opened them, what has been
negotiated so far) is examined and updated
dynamically, so each packet is judged against
the history of its connection rather than
in isolation. Stateful inspection and
action occur before the communication
enters the operating system of the gateway.

Two-factor authentication—The
use of two different kinds of proof of
identity: something only the user knows
(a memorized personal ID number or password)
plus something only the user has (a hardware
token or smart card). A physical attribute
such as a fingerprint is a third kind,
something the user is; any two of the
three make two-factor authentication, and
stealing one of them alone is not enough.

Dual-homed or multihomed—Computers
with multiple interfaces, for example,
ones with two or more NICs that connect
them to two or more separate networks.
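The difference between the first three terms is easiest to see on a packet trace. The following is an added illustration, not code from the article, Check Point, or FishNet: a toy packet-filtering router and a toy stateful inspector are run over the same four constructed packets. The inside network 10.0.0.x, the outside addresses and the rule set are all assumptions made for the example.

```python
"""Stateless packet filter vs. stateful inspection on a constructed trace.
Added illustration only: not code from the article, Check Point or FishNet.
The 10.0.0.x inside network and all other addresses are made up."""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # assumed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False       # TCP SYN flag set
    ack: bool = False       # TCP ACK flag set; SYN without ACK opens a connection


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


# 1. Packet-filtering router: every packet is judged on its own header fields.
# To let inside hosts reach web servers, the router must also admit the
# replies, and the only header fact it can key on is "source port 80".
# Fields: direction, src prefix, src port, dst prefix, dst port, verdict
# (None means "any").
STATELESS_RULES = [
    ("out", INSIDE_PREFIX, None, None, 80, "allow"),
    ("in", None, 80, INSIDE_PREFIX, None, "allow"),
]


def stateless_filter(pkt: Packet) -> str:
    direction = "out" if is_inside(pkt.src) else "in"
    for d, s, sp, dst, dp, verdict in STATELESS_RULES:
        if d != direction:
            continue
        if s is not None and not pkt.src.startswith(s):
            continue
        if sp is not None and pkt.sport != sp:
            continue
        if dst is not None and not pkt.dst.startswith(dst):
            continue
        if dp is not None and pkt.dport != dp:
            continue
        return verdict
    return "deny"           # nothing matched: implicit deny


# 2. Stateful inspection: remember which inside host opened which connection
# and admit inbound packets only when they belong to such a connection.
class StatefulFilter:
    def __init__(self) -> None:
        # entries: (inside ip, inside port, outside ip, outside port)
        self.connections = set()

    def check(self, pkt: Packet) -> str:
        if is_inside(pkt.src):
            flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.dport == 80 and pkt.syn and not pkt.ack:
                self.connections.add(flow)      # inside host opens a web session
                return "allow"
            return "allow" if flow in self.connections else "deny"
        # inbound: allowed only if it answers a session the inside opened
        flow = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if flow in self.connections else "deny"


def run_trace():
    """Return (stateless verdicts, stateful verdicts) for four constructed packets."""
    stateful = StatefulFilter()
    trace = [
        # inside host opens a connection to a web server
        Packet("10.0.0.5", 40000, "198.51.100.7", 80, syn=True),
        # the web server's SYN/ACK reply
        Packet("198.51.100.7", 80, "10.0.0.5", 40000, syn=True, ack=True),
        # outsider probes NetBIOS on the inside host, using source port 80
        # so that the packet looks like a web reply
        Packet("203.0.113.9", 80, "10.0.0.5", 139, syn=True),
        # outsider cold-calls the inside host without any disguise
        Packet("203.0.113.9", 55555, "10.0.0.5", 80, syn=True),
    ]
    return ([stateless_filter(p) for p in trace],
            [stateful.check(p) for p in trace])


if __name__ == "__main__":
    stateless, stateful = run_trace()
    for i, (a, b) in enumerate(zip(stateless, stateful), 1):
        print(f"packet {i}: packet filter={a:5}  stateful={b}")
```

Packet 3 is the one that matters: the packet filter waves it through because "source port 80 to an inside address" is indistinguishable, header by header, from a legitimate web reply, while the stateful filter rejects it because no inside host ever opened a connection to 203.0.113.9. That is what "easily fooled" means in the definition above.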

The Products that Make It Happen

We all know that passwords can be cracked. Two-factor
authentication keyfobs (hardware authentication tokens)
from Security Dynamics Technologies, Inc. provide the
KBI with six-digit one-time codes that change every 60 seconds.
Each police officer carries one of these and has a private
PIN. He or she needs both the physical access provided by
a computer and modem (or other connection to the Internet)
and the current code and PIN to get the information described
previously. Would-be intruders would need all four components,
as well as knowledge of the access points and how to use the
software, and a sniffed code is useless a minute later.
At headquarters in Topeka, a Check Point Software Technologies
Ltd. FireWall-1 sits between the data and the Internet.
Check Point’s VPN-1 software encrypts all data. Encryption
accelerator boards from Chrysalis-ITS speed this process.
Entrust Technologies’ public key infrastructure provides
certificates and Internet Security Systems, Inc.’s
RealSecure intrusion detection software keeps a watchful
eye on all activity.
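The token scheme above is worth seeing end to end: a code derived from a shared seed and the clock, checked together with a PIN, with the server refusing to accept the same code twice. The following is an added example and not the KBI’s or Security Dynamics’ code: it uses the public TOTP algorithm (RFC 6238, six digits, 60-second step) in place of the proprietary algorithm inside a SecurID fob, and the seed, PIN and clock values are constructed for illustration.

```python
"""Time-synchronized one-time codes plus a PIN, in the style of the
hardware tokens described above. Added illustration: it implements the
public TOTP algorithm (RFC 6238), not the proprietary algorithm inside a
SecurID fob, and the seed, PIN and clock values are constructed."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock.
    step=60 yields a six-digit code that changes every 60 seconds."""
    return hotp(secret, now // step, digits)


class TokenServer:
    """Server side: checks the PIN (what you know) and the code (what you have)."""

    def __init__(self, secret: bytes, pin: str, step: int = 60, drift_steps: int = 1):
        self.secret = secret
        self.pin = pin
        self.step = step
        self.drift = drift_steps      # clock skew tolerated, in steps either way
        self.last_counter = -1        # highest counter accepted so far (anti-replay)

    def verify(self, pin: str, code: str, now: int) -> bool:
        # constant-time comparison avoids leaking the PIN through timing
        if not hmac.compare_digest(pin, self.pin):
            return False
        counter = now // self.step
        for c in range(counter - self.drift, counter + self.drift + 1):
            if c <= self.last_counter:
                continue              # a code once accepted is never accepted again
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def demo():
    """Walk through the login cases; returns a dict of outcomes."""
    seed = b"12345678901234567890"       # constructed seed (the RFC test key)
    server = TokenServer(seed, pin="4711")
    t = 1_000_000                        # constructed clock value, in seconds
    code = totp(seed, t)
    return {
        "wrong_pin": server.verify("0000", code, t),               # False
        "malformed_code": server.verify("4711", "12345", t),       # False: five digits never match
        "pin_and_code": server.verify("4711", code, t),            # True
        "replayed_code": server.verify("4711", code, t + 10),      # False: already used
        "next_minute": server.verify("4711", totp(seed, t + 60), t + 60),  # True
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:15} -> {'accepted' if ok else 'rejected'}")
```

Two details carry the security of the scheme. The drift window lets a token whose clock has wandered by a minute still log in, but it is paired with the high-water mark `last_counter`, so an attacker who captures a code on the wire cannot present it again even inside that window. And the PIN is compared in constant time and never transmitted on its own; without it, a stolen fob is just a clock.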

How well do all these products work together? If you’ve
been around for a while, you know that integrating various
hardware and software components isn’t always easy.
Yet, it’s desirable because it keeps us from getting
stuck in a single-vendor solution. Wouldn’t this
be harder still in a security setting?

The components in this mix were integrated by FishNet
using Check Point’s OPSEC (Open Platform for Secure
Enterprise Connectivity) API. Other security product firms
have announced similar APIs: Aventail Corp., with its
CCI or Common Content Inspection API; Finjan Software
Ltd.; and Internet Security Systems, Inc. with ANSA (Adaptive
Network Security Alliance).

These APIs will help organizations integrate security
products from multiple companies, giving birth to a new
business: security integrators. Look for other security
solutions to be comfortable associations of multiple products
linked by enterprising consulting firms.

Achieving Your Own Security Plan

Today, the question isn’t, should you get a firewall
or when, but which one? It’s not just a matter of
securing your files from attack via the Internet; it’s
a matter of securing your data and mission-critical systems
from accidental or malicious damage from within your company
as well. Special security software such as firewalls,
intrusion detection systems, badges, smart cards, and
encryption accelerator cards can help. Let’s start
by going through questions that can help you focus your
investigation on the types of protection you might need
for your enterprise-wide security solution. These are
the same questions pondered by the KBI in its planning
efforts.

How tight does security need to
be? Evaluate the inherent risk to your systems
and data. This is going to depend on your business and
the type of data you handle. Fort Knox and the FBI obviously
have a higher need for tighter security than the local
toy store. Break down this risk evaluation by asset:
payroll records, financial data, R&D vs. public
information, or details about the company picnic. If
data access needs to be protected to a higher degree,
consider a PKI—a public key infrastructure. Look
to companies like Entrust and VeriSign, Inc. for information
about certificates and PKIs. Compare and contrast with
Microsoft’s Certificate Server.

Is there a need for remote access?
Traveling salespeople, executives, network engineers.
Do these road warriors and armchair administrators carry
sensitive information on their laptops? Do they keep
it at home or can they access it from home? Could their
modem and company access numbers provide an easy path
to sensitive data? What if their laptop is stolen from
home or while on the road? Check out Security Dynamics’
SecurID hardware tokens for the remote login itself. Keep in
mind that a token protects the connection, not the files
already sitting on a stolen disk; those need to be encrypted
on the laptop. Also consider fingerprint scanners like
BioMouse Plus from American Biometric Company.

If you offer Web access for employees,
is URL screening an issue? Should you restrict
access to known sites such as entertainment, pornography,
and/or shopping, that have nothing to do with your employees’
business pursuits? Products such as WebSENSE by NetPartners
Internet Solutions, Inc. can do just that.

Do you have a current virus detection
and protection scheme in place? Many products
now offer virus screening at the firewall level (check
offerings from Data Fellows Inc., Aladdin Knowledge
Systems, Integralis Network Systems, Symantec Corp.’s
Norton AntiVirus, and TrendMicro) to protect you from
this threat, before it reaches the network. But this
isn’t the only solution you need. Any data access
point (dial-up modems, floppies, CD-ROMs, keyboards)
can be an infection point. Computer Associates offers
server-based virus detection programs.

Do you have sensitive areas (such
as accounting or R&D) within your company that could
benefit from extra protection? Firewalls aren’t
just built for sitting between the network and the Internet.
They can also protect areas of your company from the
curious eyes and fingers of employees who have no right
to see them.

How do you monitor the use of your
network? Do you have trained personnel with hours
free to scan miles of audit logs? Or would a program
that filters and alerts you to records of interest be
important? What about the ability to generate executive-level
charts and graphs? (It seems you have to paint them
a picture sometimes or they just don’t get it.)
For help with your security audit, look into risk-assessment
tools such as RiskPAC, a PC-based questionnaire
and knowledgebase tool from CSCI.

A firewall may or may not keep
intruders out. How are you going to find out if someone
has broken in—or if inside folks are where they
shouldn’t be? Intrusion detection software
such as Kane Security Monitor from Intrusion Detection,
Inc. or RealSecure may be part of the answer here.

Do you know how a firewall works?
Seems silly, doesn’t it? But there are different
types of firewalls that work on different principles.
Even security experts disagree on the best type of firewall.
If you don’t know what they are, how will you choose?
(And you thought this was one area where the best choice
was to hire an expert and let them make decisions for
you!)

How much data do you need to secure,
and how is it secured? How often does it change?
And how tightly does it need to be secured? If a large
amount of data must be encrypted before it moves across
the wire, encryption accelerator cards may be the solution,
especially if you’re accessing the Internet at
above-T3 speeds (45Mbps and up) and/or using Triple DES
(DES applied three times with two or three keys, giving a
112- or 168-bit key instead of DES’s 56 bits, at roughly
three times the cost) or Internet Key Exchange (IKE, the
protocol that authenticates the two ends of an IPsec VPN
and negotiates their session keys, which involves public-key
operations far more expensive than the bulk encryption). Check
out the offerings from Chrysalis-ITS for information
about encryption subsystems for network security.

How are you going to test your
security defenses? Consider scanning tools, hacker
tricks, and hiring a Tiger Team (or “piranha team”
as coined by FishNet Consulting) to investigate holes
and weakness. How about a monthly service that pulls
data from your network and provides you with reports?
Got a secure solution, you say? Technology changes every
day. Just when you thought it was OK to come in from
the cold, another dazzling new security breach gets
discovered or an employee accidentally deletes or changes
critical data. How do you protect against that?

I think you get my point here. Security isn’t a
one-time—or one-product—thing. You don’t
just decide on “a” product and believe it’s
the security solution for all times. Look carefully at
your situation and then examine the types of products
that seem to bring a solution.


A final note: Why expose
the Kansas Bureau of Investigation to potential attacks
by publishing its security solution? Well, why practice
security through obscurity? It’s hoped that by giving
one solution, others will develop. Besides, in true cyberspook
fashion, how do you know we’ve really exposed the
true list of products and procedures for the KBI?